Data Protection Policy

TODD Architects is a “data controller”. This means that we are responsible for deciding how we hold and use personal information about you.

TODD Architects “The Company” collects, stores and processes data relating to its employees and external contacts in order to manage the employment and professional relationship. This privacy notice sets down how the Company collects and uses information about you during and after your working relationship with us.

This privacy notice applies to current and former employees, workers and contractors. This notice does not form part of a contract of employment or any contract to provide services and may be updated at any time.

The Company is committed to protecting the privacy and security of your personal information. The Company is committed to being clear and transparent about how it collects and uses that data and to meeting its data protection obligations.

“Personal data” means recorded information we hold about you from which you can be identified. It may include contact details, other personal information, photographs, expressions of opinion about you or indications as to our intentions about you.  We will not necessarily hold, use or share all of the types of personal data described in this Privacy Notice. The specific types of data about you that we will hold, use and share will depend upon our relationship with you.

“Processing” means doing anything with the data, such as accessing, disclosing, destroying or using the data in any way.

We seek consent from everyone whose personal data we collect and administer explaining exactly what it will be processed for at the outset. Consent can be revoked at any time and will be reviewed on a regular basis.

Data Protection Principles

The Company will comply with data protection law (GDPR 2018).  This means that the personal information we hold about you must be:

  • Used lawfully, fairly and in a transparent way;
  • Collected only for valid purposes that we have explained to you clearly and not used in any way that is incompatible with these purposes;
  • Relevant to the purposes we have told you about and limited to those purposes only;
  • Accurate and kept up to date;
  • Kept only for such time as is necessary for the purposes we have told you about; and
  • Kept securely.

What Information Does the Company Collect and Process?

It can be factual (e.g. contact details or date of birth), an opinion about your actions or behaviour, or information that may impact you in a personal or business capacity.

  • Staff personal information comes from each employee internally, share it with the Senior Management Team, externally, the bank, HMRC, pension provider.
  • Client names and addresses: publicly available information, such as social media presence, events that clients have attended with us comes from securing new commissions and enquiries added to our US database Internally, share it with the Project Architects and support staff. Externally, share it with design team when lead consultant.
  • Consultant names and addresses, comes from securing new commissions and enquiries, added to our US database. Internally, share it with the Project Architects and support staff. Externally, share it with design team when lead consultant.
  • Suppliers’ names and addresses, comes from needing a service, e.g. cleaning, stationary, added to our US database. Internally, share it with the Project Architects and support staff.

Client’s, consultant’s and supplier’s details are retained on an Interested Parties Register which is reviewed annually.

Staff Personal information is retained by the HR Consultant, the Finance Director and Finance Manager.  Personal information which is on Union Square is only accessible by HR Consultant, Finance Director and Finance Manager.

Employee Data

The Company collects and processes a range of personal information (personal data) about you. Personal data means any information about an individual from which the person can be identified. This includes:

  • Personal contact details, such as your name, title, address and contact details, including email address and telephone number;
  • Date of birth;
  • Gender;
  • The terms and conditions of your employment;
  • Details of your qualifications, skills, experience and employment history, including start and end dates, with previous employers and with the Company;
  • Information about your remuneration, including entitlement to benefits such as pensions;
  • Details of your bank account, tax status and national insurance number;
  • Information about your marital status, next of kin, dependants and emergency contacts;
  • Information about your nationality and entitlement to work in the UK;
  • Copy of driving licence;
  • Details of periods of leave taken by you, including holiday, sickness absence, family leave and sabbaticals, and the reasons for the leave;
  • Details of any disciplinary or grievance procedures in which you have been involved, including any warnings issued to you and related correspondence;
  • Assessments of your performance, including appraisals, training you have participated in, performance improvement plans and related correspondence;

Please note CCTV footage is recorded by Titanic Quarter, please speak to the office manager if you would like a copy of their privacy policy.

The Company collects this information in a variety of ways. For example, data is collected through the application and recruitment process and during work-related activities throughout the period of working for us.

In some cases, the Company collects personal data about you from third parties, such as references supplied by former employers, or where required by a particular project, information from employment background check providers, information from credit reference agencies and information from criminal records checks permitted by law.

Data is stored in a range of different places, including in your personnel file, in the Company’s HR systems and payroll system, in other IT systems (including the Company’s email system) and on the Interested Parties Register.

Why Does the Company Process Personal Data?

The Company needs to process data to enter into an employment, general or sub-consultant contract with you and to meet its contractual obligations.

In addition, the Company needs to process data to ensure that we are complying with our legal obligations, for example, we are required to check an employee’s entitlement to work in the UK.

In other cases, the Company has a legitimate interest in processing personal data before, during and after the end of the employment or professional relationship.

Situations in Which We Will Use Your Personal Information as an employee:

Situations in which we will process your personal information are listed below:

In order to:

  • Make decisions about recruitment and promotion processes;
  • Maintain accurate and up-to-date employment records and contact details (including details of whom to contact in the event of an emergency), and records of employee contractual and statutory rights;
  • Check you are legally entitled to work in the UK;
  • Gather evidence for, and keep a record of, disciplinary and grievance processes, to ensure acceptable conduct within the workplace;
  • Pay you and, in the case of employees, make deductions for tax and National Insurance;
  • Make decisions about salary reviews and compensation;
  • Operate and keep a record of employee performance and related processes;
  • keep records of training and development requirements;
  • Operate and keep a record of absence and absence management procedures, to allow effective workforce management and ensure that employees are receiving the pay or other benefits to which they are entitled;
  • Ascertain your fitness to work;
  • Operate and keep a record of other types of leave (such as maternity, paternity, adoption, parental and shared parental leave), to allow effective workforce management, to ensure that the organisation complies with duties in relation to leave entitlement, and to ensure that employees are receiving the pay or other benefits to which they are entitled;
  • Ensure effective general HR and business administration;
  • Provide references on request for current or former employees;
  • Deal with legal disputes involving you or other employees, workers and contractors; and
  • Facilitate equal opportunities monitoring in the workplace.

If You fail to Provide Personal Information

If you do not prove certain information when requested, the Company may not be able to perform the contract we have entered into with you, such as paying you or providing a benefit. You may also have to provide the Company with data in order to exercise statutory rights, for example in relation to statutory leave entitlements.

Change of Purpose

The Company will only use your personal information for the purpose for which it was collected unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will advise you of this and explain the legal basis which allows us to do so.

You should be aware that we may process your personal information without your knowledge or consent where this is required or permitted by law.

How We Use Sensitive Personal Information

Any personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health conditions, sexual life or sexual orientation, or biometric or genetic data that is used to identify an individual is known as special category data:

  • Information about medical or health conditions, including whether or not you have a disability for which the Company needs to make reasonable adjustments;
  • Information about your criminal record;
  • Equal opportunities monitoring information, including information about your religion for fair employment monitoring as required by the Equality Commission NI
  • Child Support or Child Maintenance payments for payroll deduction purposes where notified by those agencies

Some special categories of personal data, such as information about health or medical conditions, is processed to carry out employment law obligations (for example, in relation to employees with disabilities and for health and safety purposes).

The Company uses other special categories of personal data, such as information about religion, this is done for the purposes of meaningful equal opportunities monitoring or reporting.

Data used by the Company for these purposes is anonymised or is collected with the express consent of employees, which can be withdrawn at any time. Employees are entirely free to decide whether or not to provide such data and there are no consequences of failing to do so.

Information About Criminal Convictions

We will only collect information about criminal convictions if it is appropriate given the nature of the role and where we are legally able to do so. We will use information about criminal convictions to prove eligibility to work on a particular contract i.e. for security work.

Automated Decision-Making

Our employment decisions are not based solely on automated decision-making.

For How Long Do You Keep Data?

The Company will only hold your personal data for as long as is necessary to fulfil the purposes we collected it for, including any legal, accounting or reporting requirements. The periods for which your data is held after the end of employment are 6 years for personnel, payroll, NI and monitoring purposes and 40 years for medical information.  We will not keep your personal data for longer than is necessary for the purpose. This means that data will be destroyed or erased from our systems when it is no longer required.

Who Has Access to Data?

Your information will be shared internally, including with our retained HR services consultant payroll dept and office manager.

The Company shares your data with third parties where required by law, where it is necessary in order to administer the working relationship with you or where we have another legitimate interest in doing so i.e. HMRC, bank, pension provider and health insurance provider. The following services are carried out by third party service providers: payroll, pension administrator and Health Cash Plan provider. The Company may also share your data with other third parties, for example, in the context of a sale of some or all of its business. In those circumstances the data will be subject to confidentiality arrangements.

The Company will not transfer your data to countries outside the European Economic Area.

How Does the Company Protect Data?

Maintaining data security means guaranteeing the confidentiality, integrity and availability (for authorised purposes) of the personal data.

Information held electronically is backed up remotely on a daily basis.

If we mistakenly issue inaccurate information to a third party, we will firstly inform the person or organisation that we are holding inaccurate information and contact the third party so that they can correct their own records.

The Company takes the security of your data seriously. The Company has internal policies and controls in place to prevent your data being lost, accidentally destroyed, misused or disclosed, and is not accessed except by its employees and retained consultants in the performance of their duties. Details of these measures are available on request. The Practice also holds a Cyber Essentials Plus Certificate for the safe keeping of all of its data.

When the Company engages third parties to process personal data on its behalf, they do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data. Details of these measures are available from the office manager, IT Director and IT Maintenance Provider and are retained and reviewed annually.   We will not disclose your personal data to a third party without your consent unless we are satisfied that they are legally entitled to the data. Where we do disclose your personal data to a third party, we will have regard to the eight data protection principles.

Your Duty to Inform Us of Changes

It is important that the personal information we hold about you is accurate and current. Please be sure to keep us informed if your personal information changes during your time working with us.

Your Rights

As a data subject, you have a number of rights. You can:

  • Access and obtain a copy of your data on request (known as a “data subject access request”) immediately;
  • Require the Company to change incorrect or incomplete data;
  • Request erasure of your personal information. This enables you to ask the Company to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing;
  • Object to the processing of your data where the Company is relying on its legitimate interests as the legal ground for processing; and
  • Ask the Company to suspend the processing of your personal data for a period of time if data it is inaccurate or there is a dispute about its accuracy or the reason for processing it.
  • Prevent the processing of your data for direct-marketing purposes
  • Prevent processing that is likely to cause unwarranted substantial damage or distress to you or anyone else
  • Object to any decision that significantly affects you being taken solely by a computer or other automated process.

If you would like to exercise any of these rights, or you have any questions about the privacy notice, please contact the Office Manager or Managing Director.

If you believe that the Company has not complied with your data protection rights, you have the right to make a complaint to the Information Commissioner’s Office. We recognise the need to treat personal data (electronic or paper copy) in an appropriate and lawful manner, in accordance with the General Data Protection Regulations 2018 (GDPR). The purpose of this notice is to make you aware of how we will handle your personal data.  It summarises the key points about how TODD Architects collects, uses and discloses data and ensures compliance with the GDPR 2018.

This notice does not form part of any employee’s contract of employment and we may amend it at any time.

External Contacts Data

TODD Architects are making continual improvements to our processes and policies, ensuring our employees understand their roles and the requirements that we must meet as an organisation.

This section of our Privacy Notice explains how we handle and process data that relates to non-employee data). If you have any questions or concerns, please contact our Office Manager.

This sets out what personal data we hold about you, how we collect it, and how we use it for the performance of contracts and marketing. It applies to anyone in our Interested Parties Register and contacts and organisations’ database, Union Square.

Data that we retain under legitimate interest to deliver a project includes:

  • Organisation Names
  • Contact Names within an Organisation
  • Addresses
  • Email addresses
  • Geolocation data
  • Insurances
  • Accreditations

What type of special category personal data do we hold about you? Why? And on what legal grounds?

We will only collect, hold and use limited types of special category data about you, as described below.

Criminal records information/DBS checks

Due to our work with education providers (Schools, Colleges and Universities), Ministry of Justice and Ministry of Defence and Aviation providers, we may ask you to complete a DBS or Security Clearance.  For the majority of our External Contacts we do not collect this data. However, should our clients require you to have these checks to enter their premises or work on their projects we will inform you.

In the context of the Performance of Contract we will use this information to assess your suitability to form part of an External Team for projects where these checks need to be in place e.g. schools, MOD schemes etc.

Our additional legal ground for using this information is that of Legal Obligation.

Why do we hold your data?

We need it to undertake a project (Performance of Contract), because you are a member of the external team on one of our projects.

We need it to comply with a legal obligation (Legal Obligation), e.g. if you are a member of the external team on one of our projects we are required to retain your details for the duration of the contract.

How do we process data?

When working on a project:

  • In emails and letters
  • In the project brief
  • On drawings (physical and PDF/other digital media)
  • In models on common data environments/clouds
  • In visualisations
  • In internal business strategy documents
  • To obtain client feedback

We confirm that we will not share your details with an external party for an unrelated interest such as marketing.

What do we use it for?

  • To invite you to an event such as an awards dinner;
  • To send you post-event follow-up information
  • At a public event, we may ask for your details as part of a promotional activity. We will use these details to contact you if you have won. Such promotional activities will be covered by this privacy notice and we will require you to agree to this before entering.
  • We may ask you for your opinion on projects or for feedback on our own service. This could be used to help improve our business performance, or for an external marketing campaign.  In this instance, we may require your personal details. If such research does take place, it will refer to this privacy notice which you must agree to before taking part. We will only use these with explicit consent which would be associated with a single article.


As required under the ARB Code of Conduct (ARB 2017), we confirm that adequate security is in place to safeguard both paper and electronic records for our clients, consultants, suppliers and staff, taking full account of data protection legislation, and that any confidential information is safeguarded.  We confirm that we have assessed and checked for compliance any external parties which process data for our practice such as our IT maintenance providers, accreditation bodies, pension and insurance providers and that they have taken reasonable precautions to safeguard personal data and meet the requirements of the current legislation.

We confirm that we adopt a proactive approach to data protection and undertake a data protection impact assessment at the outset of a project to determine what data we will need to process throughout the project, why it needs to be processed and how you will be processing it.

How do we collect your personal data?

You provide us with most of the personal data about you that we hold and use, for example on a business card, email signature or through verbal discussions.

Some of the personal data about you that we hold and use is generated from internal sources following a Business Development meeting. For example, we may record that you have particular sector experience.

Some of the personal data about you that we hold and use may come from external sources. We may also obtain information about you from publicly available sources, such as your LinkedIn profile or other media sources.


We seek consent from everyone whose personal data we collect and administer explaining exactly what it will be processed for at the outset. Consent can be revoked at any time and will be reviewed annually.

Who do we share your personal data with?

We will only share your personal data with:

Legal/professional advisers

We share any of your personal data that is relevant, where appropriate, with our legal and other professional advisers, in order to obtain legal or other professional advice about matters related to you or in the course of dealing with legal disputes with you or your company.

Our legal grounds for sharing this personal data are that: it is in our legitimate interests to seek advice to clarify our rights/obligations and appropriately defend ourselves from potential claims; it is necessary to comply with our legal obligations/exercise legal rights in connection with contract; and it is necessary to establish, exercise or defend legal claims.

Data Retention

We confirm that all drawings, models, information, data and correspondence will be retained from initial contact with our clients through to the end of the limitation period (12 years post contract/practical completion) and any limitation extension. This is to be able to respond to any legal claim or similar. However, should you request your data that we retain be deleted before the end of the limitation period, we confirm that we will do so with immediate effect.

If you are involved with a project (i.e. part of an external team), we are required to retain your details for the duration of the contract i.e. 12 years. However, we may need to retain these for longer, if there are specific legal circumstances associated with a contract that require us to hold your personal data.

If you are not involved in a project but you have provided your consent for us to hold your personal data for the purposes of contacting you e.g. for event invitations, then your consent will be requested again every year.

Your rights

You have legal rights relating to your personal data, which are outlined here:

  • The right to make a subject access request. This enables you to receive certain information about how we use your data, as well as to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
  • The right to request that we correct incomplete or inaccurate personal data that we hold about you.
  • The right to request that we delete or remove personal data that we hold about you where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).
  • The right to object to our processing your personal data where we are relying on our legitimate interest (or those of a third party), where we cannot show a compelling reason to continue the processing
  • The right to request that we restrict our processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it.
  • The right to withdraw your consent to us using your personal data.  As described above, we do not normally rely on your consent as the legal ground for using your personal data. However, if we are relying on your consent as the legal ground for using any of your personal data and you withdraw your consent, you also have the right to request that we delete or remove that data, if we do not have another good reason to continue using it.
  • The right to request that we transfer your personal data to another party, in respect of data that you have provided where our legal ground for using the data is that it is necessary for the performance of a contract or that you have consented to us using it (this is known as the right to “data portability”).
  • The right to object to a decision based on automated decision-making, including the right to voice your opinion, and obtain human intervention in the decision-making.

If you have any questions or concerns about how your personal data is being used by us, you can contact our Finance Manager. Note too that you have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues. Details of how to contact the ICO can be found on their website:

Paul Crowe BA (Hons) DipArch RIBA MRIAI
For TODD Architects